U.S. and U.K. authorities have seized the darknet websites run by LockBit, a prolific and destructive ransomware group that has claimed more than 2,000 victims worldwide and extorted over $120 million in payments.
Instead of listing data stolen from ransomware victims who didn't pay, LockBit's victim shaming website now offers free recovery tools, as well as news about arrests and criminal charges involving LockBit affiliates.
Investigators used the existing design on LockBit's victim shaming website to feature press releases and free decryption tools.
LockBit members have executed attacks against thousands of victims in the United States and around the world, according to the U.S. Department of Justice.
LockBit operated as a ransomware-as-a-service group, wherein the ransomware gang takes care of everything from the bulletproof hosting and domains to the development and maintenance of the malware.
Affiliates are solely responsible for finding new victims, and can reap 60 to 80 percent of any ransom amount ultimately paid to the group.
A statement on Operation Cronos from the European police agency Europol said the months-long infiltration resulted in the compromise of LockBit's primary platform and other critical infrastructure, including the takedown of 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom.
Europol said two suspected LockBit actors were arrested in Poland and Ukraine, but no further information has been released about those detained.
The DOJ today unsealed indictments against two Russian men alleged to be active members of LockBit.
The government says Russian national Artur Sungatov used LockBit ransomware against victims at manufacturing, logistics, insurance and other companies throughout the United States.
Kondratyev is also charged with three criminal counts arising from his alleged use of the Sodinokibi ransomware variant to encrypt data, exfiltrate victim information, and extort a ransom payment from a corporate victim based in Alameda County, California.
With the indictments of Sungatov and Kondratyev, a total of five LockBit affiliates have now been officially charged.
In June 2023, Russian national Ruslan Magomedovich Astamirov was charged in New Jersey for his participation in the LockBit conspiracy, including the deployment of LockBit against victims in Florida, Japan, France, and Kenya.
LockBit was known to have recruited affiliates that worked with multiple ransomware groups simultaneously, and it's unclear what impact this takedown may have on competing ransomware affiliate operations.
In a lengthy thread about the LockBit takedown on the Russian-language cybercrime forum XSS, one of the gang's leaders said the FBI and the U.K.'s National Crime Agency had infiltrated its servers using a known vulnerability in PHP, a scripting language that is widely used in Web development.
LockBit's data leak site previously featured a countdown timer for each victim organization listed, indicating the time remaining for the victim to pay a ransom demand before their stolen files would be published online.
Mark Stockley, cybersecurity evangelist at the security firm Malwarebytes, said the NCA is obviously trolling the LockBit group and LockBitSupp.
In a press conference today, the FBI said Operation Cronos included investigative assistance from the Gendarmerie-C3N in France; the State Criminal Police Office (LKA) and Federal Criminal Police Office in Germany; Fedpol and Zurich Cantonal Police in Switzerland; the National Police Agency in Japan; the Australian Federal Police; the Swedish Police Authority; the National Bureau of Investigation in Finland; the Royal Canadian Mounted Police; and the National Police in the Netherlands.
The Justice Department said victims targeted by LockBit should contact the FBI at https://lockbitvictims.
The Japanese Police, supported by Europol, have released a recovery tool designed to recover files encrypted by the LockBit 3.0 Black Ransomware.
This Cyber News was published on krebsonsecurity.com. Publication date: Tue, 20 Feb 2024 17:20:12 +0000